Calling SearchAllIamPolicies

gcloud

You can call SearchAllIamPolicies using the
gcloud asset search-all-iam-policies
command. You must be running Cloud SDK version 278.0.0 or newer. You can
check your version with the gcloud version command.

"resource : projects/123456": to find Cloud IAM policies
that are set on "projects/123456".

(Optional) PAGE_SIZE: The page size for search result
pagination. The maximum is 2000. If the value is set to 0, an
appropriate default will be selected.

(Optional) PAGE_TOKEN: The token representing the next batch of
results from the preceding call to this method. The page_token must be
the same as the value of next_page_token from the preceding call's
response.

Note: You can only search IAM policies that are set on the searchable resource types.
The following are example gcloud commands.

Find all Cloud IAM policies in
your organizations/123456 that contain the mycompany.com domain:

API

You can call SearchAllIamPolicies using a valid OAuth token for a project.
To call the SearchAllIamPolicies method from Cloud Shell or any
console where the gcloud command is available:

If you haven't configured your project's OAuth consent screen, you'll
need to do so. An email address and product name are required for the
OAuth consent screen.

Don't enter any confidential information on the OAuth consent
screen. Any information you save to the OAuth consent screen may be
publicly visible for anyone who accesses your URL. Email and product
details are displayed on the login screen and when someone tries to
access a resource for which they don't have permission.

SCOPE is required. The search result scope is limited within a
project, folder, or organization. You must have the
cloudasset.assets.searchAllIamPolicies
permission granted to the caller for the desired scope.
The allowed values are:

"resource : projects/123456": to find Cloud IAM policies
that are set on "projects/123456".

(Optional) PAGE_SIZE: The page size for search result
pagination. The maximum is 2000. If the value is set to 0, an
appropriate default will be selected.

(Optional) PAGE_TOKEN: The token representing the next batch of
results from the preceding call to this method. The page_token must be
the same as the value of next_page_token from the preceding call's
response.
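As an added example (not code from the Google Cloud documentation or the Cloud SDK), the following Python script drives SearchAllIamPolicies over the REST API with the SCOPE, query, PAGE_SIZE and PAGE_TOKEN parameters described above, following next_page_token until the last page and then summarizing which members hold which roles in the matched bindings, which is the review a defender usually wants from this API. It assumes the v1 HTTP binding GET https://cloudasset.googleapis.com/v1/{scope}:searchAllIamPolicies with the query parameters query, pageSize and pageToken, and a bearer token such as the one printed by gcloud auth print-access-token. SAMPLE_RESULTS and fake_fetch are constructed stand-ins so the script runs offline; swap in http_fetch(token) to call the real service.

```python
"""Page through SearchAllIamPolicies results and summarize the matched bindings.

Added example, not Google's code. Assumes the v1 REST binding
GET https://cloudasset.googleapis.com/v1/{scope}:searchAllIamPolicies
with query parameters query, pageSize and pageToken.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Set

API_BASE = "https://cloudasset.googleapis.com/v1"
MAX_PAGE_SIZE = 2000  # documented maximum; 0 lets the server choose a default


def build_request_url(scope: str, query: str, page_size: int = 0,
                      page_token: str = "") -> str:
    """Build the URL for one page. scope is projects/, folders/ or organizations/ID."""
    if not 0 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be between 0 and {MAX_PAGE_SIZE}")
    params = {"query": query}
    if page_size:
        params["pageSize"] = str(page_size)
    if page_token:
        params["pageToken"] = page_token
    return f"{API_BASE}/{scope}:searchAllIamPolicies?{urllib.parse.urlencode(params)}"


def http_fetch(access_token: str) -> Callable[[str], dict]:
    """Return a fetcher that performs the real GET with an OAuth bearer token."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def search_all_iam_policies(scope: str, query: str, fetch: Callable[[str], dict],
                            page_size: int = 0) -> Iterator[dict]:
    """Yield every result across pages; pageToken must be the previous nextPageToken."""
    page_token, seen_tokens = "", set()
    while True:
        page = fetch(build_request_url(scope, query, page_size, page_token))
        yield from page.get("results", [])
        page_token = page.get("nextPageToken", "")
        if not page_token:
            return
        if page_token in seen_tokens:  # guard against looping on a repeated token
            raise RuntimeError("server returned a page token it already issued")
        seen_tokens.add(page_token)


def members_by_role(results: List[dict]) -> Dict[str, Set[str]]:
    """Collect the members of every matched binding, keyed by role."""
    out: Dict[str, Set[str]] = {}
    for result in results:
        for binding in result["policy"].get("bindings", []):
            out.setdefault(binding["role"], set()).update(binding["members"])
    return out


# Constructed sample results in the shape the API returns (resource name, its
# project, and only the bindings that matched the query). Values are made up.
SAMPLE_RESULTS = [
    {"resource": "//cloudresourcemanager.googleapis.com/projects/123456",
     "project": "projects/123456",
     "policy": {"bindings": [
         {"role": "roles/owner", "members": ["user:alice@mycompany.com"]}]}},
    {"resource": "//storage.googleapis.com/projects/_/buckets/example-bucket",
     "project": "projects/123456",
     "policy": {"bindings": [
         {"role": "roles/storage.objectViewer",
          "members": ["user:bob@mycompany.com", "allUsers"]}]}},
    {"resource": "//cloudresourcemanager.googleapis.com/projects/654321",
     "project": "projects/654321",
     "policy": {"bindings": [
         {"role": "roles/editor",
          "members": ["group:devs@mycompany.com",
                      "serviceAccount:my-other-app@appspot.gserviceaccount.com"]}]}},
]


def fake_fetch(url: str) -> dict:
    """Offline stand-in for the API that serves SAMPLE_RESULTS in numbered pages."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    size = int(params.get("pageSize", ["2"])[0])      # constructed server default
    start = int(params.get("pageToken", ["0"])[0])    # token is the next offset
    page = {"results": SAMPLE_RESULTS[start:start + size]}
    if start + size < len(SAMPLE_RESULTS):
        page["nextPageToken"] = str(start + size)
    return page


if __name__ == "__main__":
    found = list(search_all_iam_policies("organizations/123456", "policy:mycompany.com",
                                         fake_fetch, page_size=2))
    for role, members in sorted(members_by_role(found).items()):
        print(role, sorted(members))
```

The summary makes bindings that pair a company identity with a public principal such as allUsers stand out; with a real token, pass http_fetch(token) in place of fake_fetch and keep page_size at or below the documented maximum of 2000.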

How to construct a query

Query Cloud IAM policies by binding information

To search Cloud IAM policies, write the query expression in the
following format:

policy : QUERY

Note: The query string is compared to each Cloud IAM
policy binding, including its
members, roles, and Cloud IAM conditions. The
returned Cloud IAM policies will only contain the bindings that match
your query.

Member

You can limit your query to policies that reference a specific member by using the
following syntax:

Service accounts, such as
serviceAccount:my-other-app@appspot.gserviceaccount.com

Special identifiers, such as allUsers and allAuthenticatedUsers

Note that you can omit the user: or group: prefix in a query string if the
query value is unique enough or if you want to search for the tokens regardless
of the member type. For example, the following query will likely only match a
user: